Do You Have the Resources You Need to Accomplish Your Mission?

Let's have some fun. Close your eyes and try to envision what your security program would look like in an ideal world.

What resources would you have access to? What new initiatives would you put in place? What would you do in support of your program that you haven't been able to do in the past?

Now, let's think about that ideal program again. What's holding you back? Is it budgetary limitations? Is it the inability to get executive sign-on for your ideas? Is it some other factor?

In this month's cover story, CSO contributor Bob Violino digs into what some believe is a serious gap between what security executives want to accomplish and what they're actually allowed to get done in their organizations. Several sources we spoke with say that although security's position in business has been elevated significantly over the past several years, many senior-level executives still don't understand how important security is and what level of authority it needs within an organization.

This problem is complicated by the reporting structure for security executives. Whatever the title (CSO, CISO, VP of security), those in charge of security are often reporting to a variety of higher-ups, including legal, the CIO and the CTO. One of the sources CSO spoke to said that this means that security is still seen as a junior partner to business leaders. As a result, making the case for adding extra resources, such as more dedicated security staff, is still a tough sell.

Others we asked disagree, saying they have the support, resources and cross-divisional cooperation they need to accomplish the mission they are tasked with. The responsibility for driving change and gaining executive respect and buy-in for security investment lies squarely on the shoulders of the person with security in their title, they argue. Executive oversight is a necessary part of the role, and using it as an excuse for lack of accomplishment is just that: an excuse.

CSO staff has written a lot over the years about security's increasingly important role in business and the level of respect it has gained at the executive table. In this piece, we look at the other side of that coin for a different perspective on how the role has evolved and why some think it still has a long way to go.

What do you think? Do you have the proper authority to get your job done effectively?

Email me with your feedback.

-Joan Goodchild, Editor, jgoodchild@cxo.com
It's a Mistake to Think You're Safe

We've seen some pretty shocking things these past few months: businesses that understand risk management getting burned...and pretty badly so.

As we ground our way through the holidays toward New Year's, I expected that, at some point, I would receive a news alert from CSO's editorial team about a massive data breach at a retailer. The holidays aren't just prime shopping season for John and Jane Public, they're also high season for criminals of all varieties, from the smash-and-grab kind to advanced cybercriminals. So when the alert came, I wasn't surprised. What blew my hair back was where the breach had occurred.

I've always viewed Target as one of those businesses that understood the importance of good risk management and security. When I thought about where I expected the next big breach to come from, I would never have chosen a business that led the adoption of the PCI standard and has always been proactive in addressing security risks. But there they were, on the front page of every newspaper and the lead story on the six o'clock news. This is bad news for every business. If a company that's as good at this game as Target is can get burned this badly, what does that say about the majority of businesses out there that don't take security quite as seriously?

I keep waiting for the big watershed moment that will get everyone to take these risks seriously. I actually believe there will be separate watershed moments for different types of risks: one for mobile devices, one for the cloud, and so on. But was this the watershed moment for retailers? I hope so, but as an old boss of mine was fond of saying, "Hope is for children." This has certainly been a wake-up call for Target and its direct competitors, but for the industry as a whole, I'm not so sure. These things often have to hit a little closer to home to have that kind of impact. I can imagine the conversations happening at smaller retailers: "We're too small to be a real target." Instead, those conversations should go more along the lines of, "There but for the grace of God goes our company." I certainly heard a lot of that from technology vendors after RSA took its hit a few years ago.

Most businesses invest in security to meet regulatory compliance standards. Fewer will up their game to protect against the big breach events like Target experienced. But how many are thinking about those black swan, company-imploding types of events? They all should be.

Now it looks like Neiman Marcus got hit as well. Apologies for the FUD, but are you next?

-Bob Bragdon, publisher, bbragdon@cxo.com
DDoS Attacks Threaten Every Enterprise

HIGH-VOLUME ATTACKS CAN OVERWHELM EVEN THE MOST SOPHISTICATED ON-PREMISE DEFENSES; CLOUD MITIGATION SERVICES OFFER INCREASED PROTECTIONS.

Market Pulse

When anti-spam services provider Spamhaus was hit with an unprecedented high-volume distributed denial-of-service (DDoS) attack in March 2013, it was a clear illustration that cyber assaults are now capable of overwhelming even the most robust on-premise defenses.

In a recent IDG Research Services survey, conducted in conjunction with Verisign, only half of the respondents indicate they are highly confident in their ability to detect DDoS attacks, and even fewer are highly confident in their ability to successfully remediate such an attack. But those who have experienced such assaults may argue that confidence levels are higher than they should be. In fact, half say it took longer than expected to remediate attacks. Add to that the fact that attacks are becoming more sophisticated. For example, DDoS perpetrators can up the ante with Domain Name System (DNS) amplification attacks, in which the bots are instructed to send a DNS query with a forged source address to a perfectly legitimate server, resulting in a larger response being sent back to the actual owner of that forged address. Attacks using thousands of name servers can direct gigabits of data per second against the target, while the actual bot used to initiate the assault is invisible to the victim. What's worse, publicly available DDoS tools and information-sharing sites make it easy for attackers to learn from each successive wave of assaults in order to combat defenses.
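As an added illustration, not part of the Market Pulse piece or the survey, the following Python sketch shows what the amplification traffic described above looks like from the victim's network edge and how a defender can flag it in flow records: large DNS responses arriving from many distinct name servers with no matching outbound queries. The flow-record format, the sample addresses and the thresholds are constructed assumptions.

```python
"""Flag inbound DNS amplification traffic in constructed flow records.

From the victim's edge, the attack looks like large DNS responses (UDP source
port 53) from many distinct servers that the victim never queried, because the
queries carried the victim's forged address. Added example; the record format,
field names and thresholds are assumptions, not any product's real schema.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


@dataclass(frozen=True)
class Alert:
    host: str
    window_start: float
    inbound_bytes: int
    servers: int
    ratio: float


def parse_flow(line: str) -> Flow:
    # Constructed format: "<ts> <src_ip>:<sport> -> <dst_ip>:<dport> <bytes>"
    ts, src, _arrow, dst, nbytes = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(float(ts), s_ip, int(s_port), d_ip, int(d_port), int(nbytes))


def detect_amplification(flows, window=10.0, min_servers=5,
                         min_ratio=5.0, min_bytes=50_000):
    """Return one Alert per (window, host) that looks like an amplification target.

    A host is flagged when, within one window, it receives at least min_bytes of
    DNS responses from at least min_servers distinct servers and those responses
    outweigh the DNS queries it sent by min_ratio or more. A host that really did
    send many queries keeps a low ratio and is not flagged.
    """
    inbound = defaultdict(int)   # (bucket, host) -> bytes of responses received
    outbound = defaultdict(int)  # (bucket, host) -> bytes of queries sent
    servers = defaultdict(set)   # (bucket, host) -> distinct responding servers
    for f in flows:
        bucket = int(f.ts // window)
        if f.sport == 53:
            inbound[(bucket, f.dst)] += f.nbytes
            servers[(bucket, f.dst)].add(f.src)
        elif f.dport == 53:
            outbound[(bucket, f.src)] += f.nbytes
    alerts = []
    for key in sorted(inbound):
        in_b, out_b = inbound[key], outbound.get(key, 0)
        ratio = in_b / out_b if out_b else float("inf")  # no queries at all: unsolicited
        if in_b >= min_bytes and len(servers[key]) >= min_servers and ratio >= min_ratio:
            alerts.append(Alert(key[1], key[0] * window, in_b, len(servers[key]), ratio))
    return alerts


# Constructed sample: one normal resolver client and one host being flooded.
SAMPLE_FLOWS = [
    "1000.0 10.0.0.5:51234 -> 192.0.2.53:53 60",
    "1000.1 192.0.2.53:53 -> 10.0.0.5:51234 130",
    "1001.0 10.0.0.5:51235 -> 192.0.2.53:53 62",
    "1001.1 192.0.2.53:53 -> 10.0.0.5:51235 140",
] + [
    # Eight name servers each return three 3000-byte responses to a host that
    # never sent them a query: the bots forged its address as the source.
    f"{1000 + i * 0.2 + j * 0.01:.2f} 198.51.100.{i}:53 -> 203.0.113.10:80 3000"
    for i in range(1, 9) for j in range(3)
]


def run_sample():
    return detect_amplification(parse_flow(line) for line in SAMPLE_FLOWS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.host}: {a.inbound_bytes} B from {a.servers} servers, ratio {a.ratio}")
```

The check keys on source port 53, so a host that is itself a DNS server legitimately receives such traffic; exclude known resolvers from the candidate set, or rely on the query/response ratio as written, before acting on an alert.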

TURNING  TO  THE  CLOUD  FOR  DEFENSE 
With  attackers  able  to  marshal  ever-greater  resources, 
enterprises  are  increasingly  vulnerable  if  they  go  it  alone 
in  building  DDoS  defenses.  Almost  half  of  the  organiza¬ 
tions  polled  are  using  on-premise  solutions  such  as  fire¬ 


walls  and  intrusion  prevention  to  thwart  DDoS  attacks. 

But  even  the  most  sophisticated,  specialized 
on-premise  appliances  are  no  match  for  the  scope  of 
today's  volumetric  attacks.  They  are  also  costly  to  buy 
and  operate,  requiring  constant  attention  to  keep  them 
current.  What's  more,  attackers  may  be  able  to  monitor 
a  target's  defensive  moves  and  change  the  attack 
strategy  midcourse  to  counter  mitigation  strategies, 
making  defense  all  the  more  challenging. 

Cloud-based  services,  though,  provide  advantages 
to  keep  enterprises  up  and  running  in  the  face  of  high- 
volume  assaults.  Cloud  mitigation  service  providers 
have  built  out  massive  amounts  of  network  bandwidth 
and  DDoS  mitigation  capacity  at  multiple  sites  around 
the  Internet.  They  can  work  seamlessly  with  customers 
that  are  multi-honed  with  multiple  ISPs  and  scrub  data 
in  the  cloud  closest  to  the  attack  before  sending  "clean" 
traffic  back  to  the  enterprise's  data  center. 

Additionally,  staffed  round  the  clock  with  security 
specialists  dedicated  to  the  task  of  staying  abreast  of 
the  latest  security  threats  and  assault  tactics,  cloud 
mitigation  service  providers  can  invest  in  numerous 
types  of  DDoS  mitigation  hardware  and  develop  multiple 
layers  of  filtering  that  are  beyond  the  scope  of  most 
enterprises. 

in  the  IDG  Research  Services  survey,  76  percent  of 
respondents  are  using,  considering,  or  may  consider, 
adopting  a  cloud-based  approach. 

Bottom  line:  Effective  protection  against  today's 
sophisticated  assaults  and  potentially  more  sophisti¬ 
cated  attacks  of  the  future  calls  for  a  cloud  defense 
that  bolsters  enterprise  security  with  an  always-on 
service.  ■ 
For a copy of the full research report, go to:

http://www.csoonline.com/white-papers/verisign-ddos 


The Internet of Things Is Here. What's Most Vulnerable?

Having many interconnected devices may be convenient, but it also brings a bevy of new threats. Where do we need to be cautious? By David Geer

The Internet of Things is a mass of billions of connected devices as varied as cars and wireless wearable products. Cisco's Internet Business Solutions Group estimated 12.5 billion connected devices existed globally in 2010, and predicted that number would double to 25 billion by 2015.

As the market booms, everyone should be aware of these five categories of devices that are at risk in the coming year.

In-Car Wi-Fi

Revenues for connected cars sold in 2013 should reach $21.7 billion, according to analysts from Visiongain, with 2014 revenues even higher. This year, Ford and GM will increasingly offer in-car Wi-Fi, turning cars into mobile hotspots and connecting passengers' smartphones, tablets and other devices to the Internet, according to John Pescatore, director of emerging trends at the SANS Institute.

But in-car Wi-Fi has the same security vulnerabilities as traditional hotspots. Without firewalls, in-car devices and data will be at risk. Once inside the network, an attacker can spoof the car's system, connect to outside data sources such as OnStar servers, and collect the owner's personally identifiable information, like credit card data, explains Pescatore. And that's just one example: there's no limit to the kinds of attacks that are possible when a hacker controls in-car Wi-Fi, passengers' devices and the car's identity.

"CISOs and CSOs at organizations with people who travel the country should be worried about these vulnerabilities since hackers can use these attacks to access company information," says Jerry Irvine, CIO of Prescient Solutions.

Mobile Medical Tools

"The market for wearable wireless devices across sports, fitness and m-health [mobile health] will grow from 42 million devices in 2013 to 171 million in 2018," says Jonathan Collins, lead analyst at ABI Research. Hackers will soon increasingly attack mobile medical devices running Windows, including pacemakers, according to Rodney Joffe, senior technologist at Neustar. Traditional manufacturers use proprietary embedded systems that are hard to hack due to their closed source code and restrictions. But nontraditional device manufacturers often use a form of Windows.

"Windows is very popular for those devices because it is cheap, ubiquitous and well-known among programmers," explains Joffe. Unlike Windows on a desktop computer, however, there is no patching mechanism for Windows on these devices, says Joffe. The more these devices connect to the Internet through wireless frequencies such as Wi-Fi, the more viruses will spread among them.

CSOs should be concerned about remote access to these devices due to the potential for malicious attacks on employees, health information leaks and attacks on key executives in order to influence or control the financial stability of the organization, says Irvine.

Wearable Devices, Google Glass

The global wearable technology market was worth $4.6 billion in 2013, according to Visiongain, and will continue to grow in 2014. Wearable devices such as Google Glass are a major attack vector because they automatically connect to the Internet and they have very few if any security measures built in.

Hacking Google Glass could provide attackers with confidential corporate information and intellectual property. An organization may not know how much or what kind of information a wearer absorbs using Google Glass as they move through the enterprise. A hacker could copy that audio and video.

"Every organization should write policies for wearable devices that limit where these things can be used, when they can be used and what their acceptable use is," Irvine says.

Retail Inventory Monitoring

Global revenues for wireless machine-to-machine (M2M) systems reached $50.1 billion in 2013, according to Visiongain. In 2014, inventory-management technologies will increasingly include inexpensive 3G cellular data transmitters on packages. These transmitters will connect to the Internet, making these applications vulnerable to Internet-based attacks, says Pescatore.

"These rudimentary devices enable detection, statistical information gathering, remote management and very little else," says Irvine. There are few if any security solutions to protect the devices or limit device snooping.

The purpose of the new 3G transmitters is constant, real-time position reporting. But hacktivists who would normally bombard websites with denial-of-service attacks could instead intercept these transmissions and tell servers that Wal-Mart, for example, is continually selling out of its supply of soccer balls, leading to massive soccer ball shipments bombarding Wal-Mart stores, according to Pescatore. "Or hacktivists or opportunists could influence the stock price of Kellogg's, for example, by over- or under-shipping Corn Flakes," Pescatore says.

Enterprises must securely configure these inventory control and M2M systems and segment them onto secure, inaccessible, encrypted frequencies. That's not happening today. "I can go in with a wireless frequency scanner and see communications occurring. Once I detect it, I can see what the frequency and signal are. And once I see that, I can affect its communications," Irvine says.

Private-Sector Drones

In February of 2012, Congress established the FAA Modernization and Reform Act, which includes numerous provisions for unmanned aircraft. The general thrust is that the FAA will allow the inclusion of drones in the national airspace system by 2015. "Drones will be prevalent across the country five years from now," says Erik Cabetas, managing partner at Include Security. CSOs should start to plan for drone security now.

"Because drones rely on vulnerable telemetry signals, attackers can leverage them using any of the classic attacks, including buffer overruns, format strings, SQL injections and authentication bypasses," says Cabetas.

Several drones have already been successfully attacked. In 2009, insurgents in the Middle East intercepted Predator drone signals due to a failure to use secure protocols, according to Cabetas. This enabled the insurgents to spy on what the Predators were spying on via video feed. Without secure protocols, similar attacks are possible with domestic drones.

And in a 2012 case, Texas A&M college students, by invitation of Homeland Security, spoofed the university drone's GPS signals, slipping incorrect location data into its navigation computers, causing it to crash, Cabetas says.

"But the scariest thing we've seen so far was accomplished by the winner of the 2012 DroneGames, a drone programming contest. The winner created a virus that took over any drone that came close to the infected drone," says Cabetas. Using a single vulnerability in the homogeneous firmware of the drones, an attacker could fill the skies with drones ready to follow his every command.

In a couple of years, drones will be standard components of physical penetration testing, corporate espionage and hacker attacks, according to Cabetas. "Attackers could take high-resolution photos and videos in windows (looking for passwords on sticky notes and other sensitive data). They'll be able to plant high-fidelity microphones for eavesdropping on the outside of sensitive rooms (conference rooms, CEO offices)."

David Geer is a freelance writer and frequent contributor to CSO.
Stopping Attacks Before They Begin

We most often hear of security breaches due to cross-site scripting and SQL injection attacks after the related vulnerabilities have been successfully exploited. But what could we do to prevent such attacks occurring in the first place?

A comprehensive security program and team will not only react to incidents and exploits, but also work with the in-house information systems teams to build in proactive security measures. An effective proactive application security program relies on three types of security testing: static and dynamic security scan testing, and manual penetration testing.

A static scan is typically run during the code development cycle. The static code is scanned and, through threat modeling and analysis, security flaws are uncovered. A dynamic scan is a scan of the actual code in a working environment that finds vulnerabilities while the code is running. A manual penetration test involves human interaction through white-hat analysis.

An effective automated code scanning strategy must be as painless as possible for the IT development team. The key to success is to require the least possible amount of additional work from IT teams.

The main obstacles to the successful adoption of a security code scanning program are:

Manual scan effort. Code scanning that requires manual effort to upload the code, whether by API or through a Web portal, means additional development time and effort.

Manual process. Code scanning that is out of cycle with the development process needs a process to establish timelines for scanning and time between scans. Dedicated resources must manage the program to ensure that reminders are set and scans are completed on due dates.

Code coverage. An old adage in testing is that you can't test what you don't know. Out-of-cycle testing that requires a developer to upload code is also dependent on the developer to upload the correct code for static code scanning. Verification that all the libraries and dependent code have been uploaded is a near impossible task for the security team maintaining the program. A single file could be uploaded for static scanning and the resultant scan would show as passed on a dashboard, unless someone manually verified which file was uploaded. For a large program, it's a very time-consuming process to verify across hundreds of security scans.

An effective static and dynamic code scanning program has four key elements:

1. On-premise. A scanning program that is on-premise and linked to the source control system removes the need for a developer to find the code, do special compiles and upload the code. Instead, the right location of the code is selected in the source control tree and regular scanning is set up for all child files. Having the tools on-premise also makes dynamic scanning easier, since you don't have to change any firewall rules to allow access for external tools from the scan test provider.

2. Continuous scanning. On-premise systems can be set up for continuous scanning, which does not require manual intervention to upload the code. On-premise systems can also be configured to scan continuously or periodically, and can scan far more frequently than a manually uploaded, manually configured scan.

3. Tight integration with the development build cycle. A tightly integrated scanning program allows for code scanning to use many features of the source control and build systems. For example, advanced development teams using continuous build integration from their source control can configure the build system to pass certain tests before a build can be checked in to the main code base.

4. Tight integration with the defect tracking system. Most modern source control and build systems are also tightly integrated with the defect tracking system so that a software defect can be tied to a particular version of code, which in turn can be tied to a particular system build. A code scanning program that can automatically identify defects in the defect management system will seamlessly integrate security defects into the team defect backlog.
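An added example, not from the author's program or from any real scanner or tracker, of what elements 3 and 4 look like in code: a Python build step that gates check-in on the severity of a static-scan report and reconciles its findings with the defect backlog without filing duplicates, while refusing to auto-close defects in code the scan did not cover (the code-coverage obstacle above). The report format, severity names and backlog shape are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    path: str
    function: str
    line: int

@dataclass
class Report:
    commit: str
    scanned: tuple   # path prefixes this scan actually covered
    findings: list

def load_report(text: str) -> Report:
    # Constructed JSON shape; real scanners each have their own export format.
    data = json.loads(text)
    findings = [Finding(f["rule"], f["severity"].lower(), f["path"],
                        f["function"], int(f["line"])) for f in data["findings"]]
    return Report(data["commit"], tuple(data.get("scanned", [])), findings)

def fingerprint(f: Finding) -> str:
    # Identity is rule + file + function, not line number, so a finding that
    # merely moves when unrelated code is edited is not filed a second time.
    return hashlib.sha256(f"{f.rule}|{f.path}|{f.function}".encode()).hexdigest()[:16]

def gate_build(findings, block_on=("critical", "high")):
    """Return (ok, blocking): the build may be checked in only when ok is True."""
    blocking = [f for f in findings if f.severity in block_on]
    return not blocking, blocking

def sync_backlog(report: Report, backlog: dict) -> dict:
    """Reconcile open security defects (fingerprint -> ticket) with this scan.
    Mutates backlog in place; returns counts of what changed."""
    seen = set()
    counts = {"opened": 0, "reopened": 0, "resolved": 0, "unchanged": 0}
    for f in report.findings:
        fp = fingerprint(f)
        seen.add(fp)
        ticket = backlog.get(fp)
        if ticket is None:
            backlog[fp] = {"rule": f.rule, "severity": f.severity, "path": f.path,
                           "function": f.function, "line": f.line,
                           "status": "open", "commit": report.commit}
            counts["opened"] += 1
        elif ticket["status"] == "resolved":
            ticket.update(status="open", line=f.line, commit=report.commit)
            counts["reopened"] += 1
        else:
            ticket["line"] = f.line   # refresh location; never file a duplicate
            counts["unchanged"] += 1
    # Auto-resolve only tickets in code this scan covered: a partial scan (the
    # code-coverage obstacle) must never close a defect it did not look at.
    for fp, ticket in backlog.items():
        if fp in seen or ticket["status"] != "open":
            continue
        if any(ticket["path"].startswith(p) for p in report.scanned):
            ticket["status"] = "resolved"
            counts["resolved"] += 1
    return counts

def run_pipeline(report_text: str, backlog: dict):
    report = load_report(report_text)
    ok, blocking = gate_build(report.findings)
    return ok, blocking, sync_backlog(report, backlog)

# Constructed scan output and pre-existing backlog for a dry run.
SAMPLE_REPORT = json.dumps({
    "commit": "constructed-deadbeef",
    "scanned": ["app/", "templates/"],
    "findings": [
        {"rule": "sql-injection", "severity": "High", "path": "app/db.py",
         "function": "query_user", "line": 42},
        {"rule": "reflected-xss", "severity": "Medium",
         "path": "templates/render.py", "function": "render_profile", "line": 17},
        {"rule": "weak-hash", "severity": "Low", "path": "app/auth.py",
         "function": "hash_token", "line": 9},
    ],
})

def sample_backlog() -> dict:
    def ticket(rule, sev, path, fn, line):
        return fingerprint(Finding(rule, sev, path, fn, line)), {
            "rule": rule, "severity": sev, "path": path, "function": fn,
            "line": line, "status": "open", "commit": "constructed-older"}
    return dict([
        ticket("sql-injection", "high", "app/db.py", "query_user", 40),   # same bug, moved
        ticket("hardcoded-secret", "high", "app/config.py", "load", 5),   # fixed since
        ticket("weak-cipher", "medium", "legacy/old.py", "encrypt", 3),  # not scanned
    ])

if __name__ == "__main__":
    ok, blocking, counts = run_pipeline(SAMPLE_REPORT, sample_backlog())
    print("check-in allowed:", ok, "blocking:", [b.rule for b in blocking], counts)
```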

Effective  proactive  security 
requires  code  scanning  to  be  as 
unobtrusive  in  the  application 
development  cycle  as  possible. 
The  more  the  security  scan  can 
work  like  an  existing  develop¬ 
ment  process,  the  better  chance 
it  has  of  being  successfully 
adopted  and  continuously  used 
by  the  development  teams. 

-George  Viegas  is  director  of 
information  security  at  a  leading 
multinational  information  and 
media  company. 
Gaming's Popularity Makes It a Prime Target for Hackers

Kaspersky Lab experts discovered that PC gamers around the globe were hit by 11.7 million attacks in 2013.

Currently, Kaspersky Lab knows of 4.6 million pieces of gaming-focused malware, and these kinds of weapons are used in an average of 34,000 attacks daily.

Russian gamers were the worst hit, as hackers made 8,813,050 attempts on them in 2013. Vietnam was in second with 503,947, followed by China with 376,058.

"Gaming has an ever-increasing fan base, which also means that the number of potential victims for cybercriminals is rising as well. The cybercriminals are taking a lot of effort into their attacks, and we can see the upsurge in sophistication. Especially in times like Christmas, when a lot of new games are being released, gamers need to be attentive to stay secure," says Christian Funk, a senior virus analyst on the global research and analysis team at Kaspersky Lab.

Underground forums are riddled with cyber crooks selling access to people's gaming accounts, like those for the game portal and marketplace Steam.

The market for usernames and passwords is fuelled by attacks on the gaming companies themselves.

Earlier this year, Kaspersky Lab detected "a major espionage campaign" targeting the makers of a range of massively multiplayer online games, stealing source code and other valuable data.

Malware often targets specific games, such as the popular Minecraft. Earlier this year, a fake Minecraft tool built with Java promised to give the player powers such as banning other users, but was stealing usernames and passwords in the background.

When Grand Theft Auto V landed earlier this year, various sites offered fake downloads purporting to give access to the record-smashing game for free. But when users tried to get the game, they received malware, a classic example of powerful names being abused to lure victims into downloading malicious code.

Then there are typical scams, like phishing. Slews of fake emails are sent every time there's a big gaming launch, and around Christmas, scammers attempt to lure users into handing over data or money with the promise of discounts or cheap gaming goods.

Here are Kaspersky Lab's top tips for gaming security:

Don't click through on any offers that look too good to be true, either in your inbox or on social networks like Facebook or Twitter. If an offer comes through that does look legitimate, ensure the sender is trusted before clicking a link or handing over any details. If in doubt, contact the company the sender claims to be from.

Use strong and varied passwords for all your gaming accounts. As we saw in 2013, gaming companies get hacked and logins are leaked. If you don't use different credentials for each site, having one set of identifying information stolen means all your accounts using the same password could be compromised. Consider investing in a password manager, as it will give you simple, smart protection.

Get a good quality antivirus tool. With the rafts of gaming malware out there and the increasing sophistication of malicious software, you'll need some level of protection against it all. If you want to stop the smartest malware from getting onto your system, you'll need antivirus software that goes beyond signature-based detection to look at file reputation.

Be careful who you befriend. It's easy to make friends in virtual worlds today, but not everyone is doing so innocently. Beware anyone who asks for your personal details, as they may want to do more than just contact you.

Only download titles from legitimate sellers. If you're downloading an illegal copy of a game, you aren't just breaking the law, you're also risking getting malware on your machine, as crooks often disguise malicious software as game files.

-James Dartnell, IDG News Service
In a Digital World, It's the (Card) Sharks Who Should Be Afraid

There is, apparently, pretty good money in professional poker, whether it's done in person or online. That means there is a pretty good chance that bad guys will be looking to steal as much of it as they can.

And, as a recent story out of Barcelona shows, miscreants are willing to use a combination of modern malware and old-fashioned breaking and entering to achieve their goals.

The victim in this case is Jens Kyllonen, a 24-year-old poker pro from Finland who reportedly won about $2.5 million in the past year. After his laptop temporarily went missing from his room at the hotel hosting a European Poker Tour event in Barcelona this past September, he sought help from the Internet security firm F-Secure in Helsinki to investigate whether it had been compromised.

It had. F-Secure senior researcher Daavid Hentunen and director of security response Antti Tikkanen discovered a remote-access Trojan (RAT) "with timestamps coinciding with the time when the laptop had gone missing," the two wrote in a blog post.

"Apparently, the attacker installed the Trojan from a USB memory stick and configured it to automatically start at every reboot." A RAT, they wrote, "is a common tool that allows an attacker to control and monitor a laptop remotely, viewing anything that happens on the machine."

Kyllonen is not the only victim. In an email, Hentunen said he and Tikkanen "investigated six laptops pro bono to help out the potential victims." And they wrote in their post that the attack is now common enough that they thought it ought to have its own name: sharking.

Hentunen named the attack after the cardsharks being hunted, but later learned that "sharking" is also slang for sneaking up behind a woman and pulling down her top or her pants while somebody else shoots video of it.

12 www.csoonline.com February 2014

"We didn't know about it beforehand, [and] we decided it didn't matter," he said. "'Sharking' still seemed to be the best word describing the crime in poker slang, so we decided to stick with it."

Kyllonen did not respond to a request for comment; he had posted on Twitter that he would not be doing interviews. But in several lengthy posts on the poker forum Two Plus Two, he complained about a lack of security at the hotel and an investigation that was sketchy at best.

He said PokerStars, the sponsor of the tournament, should have put more pressure on the hotel to conduct a thorough investigation.

Kyllonen was fortunate in one respect: he discovered his laptop had been taken and then returned. If he hadn't noticed, Hentunen and Tikkanen said the attackers likely would have stolen a lot of money from him, since the RAT would have allowed them to see his cards in any online game. They found the same RAT on the computer of Kyllonen's hotel roommate at the tournament.

"This kind of attack is very generic and works against any online poker site that we know of. The Trojan is written in Java and uses obfuscation, but isn't all that complicated. Since it's in Java, the malware can run in any platform (Mac OS, Windows, Linux)," they wrote.

While the investigation is reportedly still open, there are no identified suspects, and Hentunen said he did not even know what country the attackers might be from.

There was some speculation that the scam could have involved what has become known as an "Evil Maid" attack, which involves an attacker loading malware onto a laptop via a USB stick that sniffs out the encryption software's password and PIN and reports them back to the attacker.

Hentunen and Tikkanen even included a link to a post on Evil Maid attacks in their blog post, but Hentunen said the laptops he investigated didn't have encryption enabled.

Security expert Kevin McAleavey, a cofounder of the KNOS Project, says he doubts the attack involved hotel staff. "Key cards for doors are easily hacked."

"You'll note in the story that the victim tried his key card and it didn't work, which means that
the  code  for  the  door  had  gotten 
changed.  So  I  doubt  the  hotel 
staff  was  involved  in  any  way,  I 
think  the  victim  was  being  sur¬ 
veyed  and  they  just  waited  for 
the  opportunity,  knowing  he’d  be 
away  long  enough.” 

Hentunen  said  if  Kyllonen 
hadn’t  retuned  to  his  room  and 
found  his  laptop  missing,  he  likely 
never  would  have  known  it  was 
compromised.  “At  minimum,  you 


would  need  to  have  a  certain 
amount  of  expertise  in  computer 
security  to  check  for  signs  of 
unknown  malware,"  he  said. 
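To make "checking for signs" concrete, here is an added example, not code from F-Secure or from the article. It lists the per-user autostart locations on the platforms the story mentions (real directory paths, skipped when absent) and keeps only entries whose timestamps fall inside the window in which the laptop was out of its owner's hands, the same timestamp correlation the F-Secure researchers describe. The sample entries, their file names and the "missing" window are constructed.

```python
"""Triage autostart entries against the window in which a laptop was out of
its owner's sight.

Added example, not code from F-Secure or the article. Autostart locations
are real per-user paths; the scan skips any that do not exist. Timestamps,
file names and the 'missing' window below are constructed sample data."""
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path


@dataclass(frozen=True)
class AutostartEntry:
    location: str      # which autostart mechanism holds the entry
    name: str          # file name inside that location
    created: datetime  # timezone-aware modification time


def autostart_dirs():
    """Per-user autostart directories worth checking (absent ones are skipped)."""
    home = Path.home()
    dirs = [home / ".config" / "autostart",        # Linux desktop sessions
            home / "Library" / "LaunchAgents"]     # macOS per-user agents
    appdata = os.environ.get("APPDATA")
    if appdata:                                    # Windows Startup folder
        dirs.append(Path(appdata) / "Microsoft" / "Windows" / "Start Menu"
                    / "Programs" / "Startup")
    return dirs


def scan_autostart(dirs=None):
    """Collect an AutostartEntry for every file in the directories that exist."""
    entries = []
    for d in (dirs if dirs is not None else autostart_dirs()):
        if not d.is_dir():
            continue
        for p in d.iterdir():
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            entries.append(AutostartEntry(str(d), p.name, mtime))
    return entries


def entries_in_window(entries, missing_from, missing_until,
                      slack=timedelta(minutes=30)):
    """Entries whose timestamps fall inside the 'laptop missing' window.

    `slack` widens the window on both sides to absorb clock skew and the
    chance that the owner noticed the absence later than it began."""
    lo, hi = missing_from - slack, missing_until + slack
    hits = [e for e in entries if lo <= e.created <= hi]
    return sorted(hits, key=lambda e: e.created)


# Constructed sample: a laptop missing for about two hours, three autostart
# items present afterwards, only one of them written during the absence.
MISSING_FROM = datetime(2013, 9, 18, 14, 0, tzinfo=timezone.utc)
MISSING_UNTIL = datetime(2013, 9, 18, 16, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    AutostartEntry("~/.config/autostart", "cloud-sync.desktop",
                   datetime(2013, 6, 2, 9, 30, tzinfo=timezone.utc)),
    AutostartEntry("~/.config/autostart", "jre-helper.desktop",  # constructed name
                   datetime(2013, 9, 18, 14, 47, tzinfo=timezone.utc)),
    AutostartEntry("~/.config/autostart", "messenger.desktop",
                   datetime(2013, 9, 19, 8, 5, tzinfo=timezone.utc)),
]


def triage_sample():
    """Names of the sample entries written while the laptop was missing."""
    hits = entries_in_window(SAMPLE_ENTRIES, MISSING_FROM, MISSING_UNTIL)
    return [e.name for e in hits]


if __name__ == "__main__":
    for e in entries_in_window(scan_autostart() + SAMPLE_ENTRIES,
                               MISSING_FROM, MISSING_UNTIL):
        print(e.created.isoformat(), e.location, e.name)
```

The script covers only per-user folders; system-wide locations, scheduled tasks and the Windows Run registry keys need the same treatment, and someone with physical access can also backdate file times, so an empty result is a useful first pass rather than a clean bill of health.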

So the advice for those who spend a lot of time in hotel rooms is to take extra precautions. Hentunen and Tikkanen recommend that on any computer used to move large amounts of money, the owner should lock the keyboard whenever he or she is not with it.

"Put it in a safe when you're not around it, and encrypt the disk to prevent offline access. Don't surf the Web with it (use another laptop/device for that, they're relatively cheap)," they wrote.

Security guru Bruce Schneier, in a blog post on the Evil Maid attack, said the best defenses include "two-factor authentication: a token you don't leave in your hotel room for the maid to find and use. The maid could still corrupt the machine, but it's more work than just storing the password for later use." The second is trusted boot.

If there is any indication of tampering on a laptop, Hentunen said, the user should "stop doing anything with the machine and contact the police. For services that have been accessed from the infected machine, change your passwords for those from some other machine.

"If you can, make sure the network connection is disabled and leave the computer running," he said. "Another option is to hibernate the computer to keep the memory intact to make forensics easier. If you don't know how to do either of these, just shut down the computer."

-Taylor Armerding
Falling Behind? Fix This First

Attackers are, as usual, way ahead of those on defense. To catch up fast, concentrate on these 5 areas.

BY GEORGE V. HULME

No matter how valiant the efforts of CSOs, or how much businesses say they focus on securing their systems, or how much money is spent on IT defenses, many of the same IT security challenges persist.

Enterprises often can't quickly detect breaches, an important measure of security maturity. According to the 2013 Verizon Data Breach Investigations Report, 62 percent of organizations didn't find breaches for months or more, and partners, customers or others identified about 70 percent of those breaches.

There's clearly much room for improvement, but the number, duration and cost of attacks reveal that there certainly won't be any quick fixes. However, according to the experts we've spoken to, there are a handful of areas that, if dramatically improved, would significantly reduce today's chasm between defender and attacker.

1. Close the skills gap. One of the challenges cited repeatedly during our interviews is the difficulty organizations have with finding the security talent they need. Earlier this year, (ISC)2 conducted a study that found that 56 percent of organizations believe their security departments are understaffed.

The challenge here is that technology and attack methods are moving swiftly, but formal education and corporate training aren't keeping pace to produce workers with the security skills needed to handle the constant changes in mobility, cloud architecture, virtualization and other areas.

"We are always seeing conversations about staffing concerns," says Daniel Kennedy, research director for information security and networking at 451 Research.

"And it's not just small and midsize companies that are having trouble finding and retaining talent, it's a problem even at the top," Kennedy says.

2. Change the regulatory compliance mind-set. It's critical that organizations shift their focus from regulatory audits and compliance to security risk management. Many enterprises have spent years, justifiably, working intently on regulatory compliance. However, many say the focus remained too narrowly on compliance, leaving out the essential security of data, applications and infrastructure.

And despite this focus on regulatory compliance, there's little in the way of improved outcomes to show for it. Our 11th annual Global Information Security Survey, conducted by PricewaterhouseCoopers in conjunction with CSO and CIO magazines, found that the loss or damage of internal records more than doubled in one year.

"This focus on regulatory compliance, rather than security, has been underway for many years," says Candy Alexander, former CISO at Long Term Care Partners and a member of the board of directors at the Information Systems Security Association.

"When the focus is on compliance, you are not talking about people who are proactive about going out and making themselves more secure. They're just focused on baseline controls," says Kennedy. "Compliance is generally a lagging indicator [of risk]," he says.

The result of that baseline-control approach is check-the-box security, agree Kennedy and Alexander.

"It's not pie-in-the-sky to say that compliance should be an output of a security program, not a primary input," says Kennedy.

For more on the problems with this kind of cursory security, see our feature, "Thinking Outside the IT Audit (Check) Box" (www.csoonline.com/article/741757).

3. Improve incident response. The security industry is disproportionately invested in preventative security defenses, with precious little spent on tools that grant the ability to detect and respond to breaches when they occur, and they always do occur.

"We need a fundamental shift from so much focus on preventative controls to detection and response," says Jay Leek, SVP and CISO at the Blackstone Group. Leek says, in a recent evaluation of the industry, that the vast majority of investments, 70 to 80 percent, are made to block attacks. "That should shift down to 50 percent," he says, with the other half going to investments that provide visibility into the activities of systems and data, as well as to tools that help organizations launch a swift and intelligent response when needed.

Why is the industry so heavily geared toward blocking, rather than responding to the inevitable? Most agree that it's partly human nature (believing one can prevent danger), partly the result of the vendor community selling the message that attacks could be blocked, and partly because blocking attacks is easier to sell to business executives. Also, most regulatory compliance mandates call for a heavy focus on preventive controls, rather than on detection and response.

"The ability to respond is absolutely necessary, but it's just not as easy to sell across the board," says Kennedy.

4. Talk to the business, not at the business. This communication chasm still persists at too many organizations. Many security professionals still have a hard time elevating the IT security discussion to a level that is relevant to business executives. That's largely because they continue to view themselves as security practitioners, rather than as security professionals participating in the industry their organization operates in, says Eric Cowperthwaite, vice president of advanced security and strategy at Core Security and former CISO at Providence Health and Services.

Alexander agrees. "Communication is still a very common problem. There is a challenge for many to explain complex and technical risks in a way that makes sense to a business executive. But that's what we need to do. We need to talk in their terms in order to be persuasive and reach them," she says.

To make educated IT risk decisions, executives need security pros who understand both the technology and the nature of the business and industry they're in.

"Executives want you to gear yourself as being responsible for the business just as much as they are. And they want you to sit down and in a collaborative way figure out how to get better security without interfering with business objectives," Cowperthwaite says.

5. Shift to data-based decision making. The final fix is moving away from making gut decisions, working off of checklists and blindly following best practices and moving toward more data-driven decisions. "What we are doing is playing whack-a-mole. We find the things that we are bad at or cause breaches, and we fix it," says Jay Jacobs, vice president at the Society of Information Risk Analysts.

"The problem is that there's always something else that comes next. And the adversary is intelligent and can adapt, so they just move on [to the next vulnerability]," Jacobs says. "I think what really would be a dramatic improvement is if we start using the home field advantage that we have and start to collect the data in our environment and make sense of it," he says.

That means better log analysis, more spending on big data security analytics, and better anomaly detection. This can give researchers more speedy insight into things that need to be investigated.

"I think adopting that technology would be a dramatic improvement. Unfortunately it's a pretty steep hill to climb for most organizations," Jacobs says.

■ George V. Hulme is a freelance security and technology writer based in Minnesota. Follow him on Twitter: @georgevhulme.
Predicting Who Will Get Breached Next by Asking Probing Questions

Over the past few weeks, I've argued with friends in the information security echo chamber about whether it was prudent of me to make public comments about the security of the beleaguered Healthcare.gov website when I had not performed a formal assessment of it. My answer, that I'd seen all I needed to reach my conclusions, failed to satisfy some.

Some of this disagreement stemmed from the fact that I was speaking of strong indicators, not evidence, of trouble. Did I go too far in my conclusions? Time will tell. Could I have been less abrasive about how I stated my conclusions? Always.

But the experience raised a much larger question: I was assuming that incident assessment was more universally understood than it is. My statements therefore seemed black-box and arbitrary, and that's never my intent.

Lest I re-kindle the debate, let me move completely away from Healthcare.gov and into general incident response and how I walk into a place where I've never been and help figure out a) if there is a problem; b) if there is, how big it is; and c) where do we start to fix the most broken stuff the fastest.

In the past, when an organization asked me to help them understand a compromise, I started by asking questions designed to disqualify avenues of investigation. I often start with two big ones. Of course, these are not the only questions I ask, but they are among the first ones, because the wrong response is so strongly correlated with other horrible practices and habits of security guttersnipes:

■ Can we take a look at your network logs, flow records or analysis, and traffic capture for the last few days?

■ Can I see your latest network scan results?

The answers to these questions are often telling. In many cases, I'm far less interested in what the logs and captures say than the fact that they exist in a form that is accessible by someone in a reasonable amount of time, and that they can in fact be accessed and presented in a form that allows them to be analyzed.

You would be shocked at just how many organizations fail completely when faced with this request.

The "latest scan results" question hides another, all-telling question, "Do you know, within a 25 percent margin of guesstimation, how many endpoints are connected to your network?"

If the company fails these two basic questions, I am certain to find a major mess. Those things didn't cause the mess, but their presence indicates an inattention to security detail, lack of procedural integrity, failure to backstop and a kind of misdirected spending that historically are often present together in an organization that has been compromised.

Do I know it, factually?

Of course not. But I know it enough to bet the client a case of Dublin Dr. Pepper that I'll find it out right quick.

Many incident responders and penetration testers ask similar big-picture disqualification questions. Dave Kennedy, CEO of TrustedSec, goes one level deeper into the logs on his first question: "Have you got logs of DNS requests from the past week or two?"

That's a question I usually ask too, once we've got other evidence that something is up. Once we know there's something on the network, the DNS logs are a great first place to look for where it's calling to (and, later, what it is and who put it there).

There are a whole bunch of other questions you can ask once you start digging, and most of them are designed to disqualify a line of questioning to avoid getting into it. Eric Olson, VP at Cyveillance, tells the story of how his firm asks a single question to determine whether an email was a possible banking phish: "Does the email contain the FDIC symbol?"

Now, not all email with the FDIC symbol is a banking phish, but pretty much no banking phish doesn't have an FDIC symbol. With one question, then, Cyveillance is able to disqualify 97 percent of the email it sifts through on a daily basis, allowing it to concentrate on the 3 percent that may be bank phishing.

Here's another example: On a recent incident, we asked about a certain flow-analysis product. The first question was highly disqualifying: "You're not using [product] now, are you?"

"Oh, yes I am," came the response, which was in itself highly interesting.

"Oh," we said. "So how often are you using it? Weekly? Monthly?"

"Oh, every day," came the reply. "We love it."

"Oh, I see, that's great," we said. "So when you used it today, did everything look okay?"

"Yeah, you know, things looked pretty normal."

I bet they did. Earlier that morning, I had personally seen the box in question sitting, unplugged, on a cardboard box in the data center.

An engineer told me it had been unplugged for more than a month.

In this case, it was clear I didn't need to do any further digging to understand that no analysis had been done. It was also clear that, if the person would cheerfully lie about that, he would cheerfully lie about other things.

It was therefore no big intuitive leap for me to conclude that previous things the guy had signed off on had likely also not been done. Did I know this factually to be true? Not yet.

But I had a very strong indicator. Later we confirmed it, but the indicator itself was strong enough for me to base certain statements and actions on it.

This stuff is not rocket science. By asking high-level, disqualifying questions, one can easily make some broad assessments. Then it's simply a matter of drilling down into the indicated areas and finding the problems.

Kennedy offers a few more questions, like, "Are you testing for security threats and doing things like external and internal penetration tests and social-engineering efforts to test your controls and your incident response?" and, "Have you ever done a source code analysis or dynamic testing of applications to determine what risks they pose?"

A number of us are working together to make a list of the top 10 questions that can be asked in any organization.

We feel that this is a great way to share knowledge and experience with the community. Like that idea? Drop me a line, using the contact form at www.nickselby.com.

-Nick Selby is CEO and co-founder of StreetCred Software. A veteran information security consultant, he has provided incident response services for Fortune 500 companies.
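The DNS-log question in this column, and the earlier call for better log analysis and anomaly detection, both come down to the same first pass over a week of query logs: which names are new, and which are being looked up on a fixed cadence. The following is an added example of that pass; it is not code from the article or from anyone quoted in it. The log format (timestamp, client address, query name) and every log line are constructed, and the "baseline" cut-off is an assumption.

```python
"""Answer 'where is it calling to?' from a week of DNS query logs.

Added example, not code from the article or its sources. The log format
(ISO timestamp, client IP, query name) and all sample lines are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime


# Constructed sample: one week of quiet, then a new name queried every
# five minutes by a single client.
SAMPLE_LOG = """\
2014-01-20T09:00:00 10.0.0.5 www.example.com
2014-01-20T09:00:30 10.0.0.5 mail.example.com
2014-01-20T17:12:00 10.0.0.7 www.example.com
2014-01-27T10:00:00 10.0.0.5 www.example.com
2014-01-27T10:05:00 10.0.0.5 cdn-updates.example.net
2014-01-27T10:10:00 10.0.0.5 cdn-updates.example.net
2014-01-27T10:15:00 10.0.0.5 cdn-updates.example.net
2014-01-27T10:20:00 10.0.0.5 cdn-updates.example.net
2014-01-27T10:21:00 10.0.0.7 mail.example.com
2014-01-27T10:25:00 10.0.0.5 cdn-updates.example.net
"""


def parse_log(text):
    """Return (timestamp, client, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        records.append((datetime.fromisoformat(ts), client,
                        qname.lower().rstrip(".")))
    return records


def first_seen(records):
    """Earliest query time for each name."""
    seen = {}
    for ts, _, qname in records:
        if qname not in seen or ts < seen[qname]:
            seen[qname] = ts
    return seen


def new_domains(records, baseline_end):
    """Names that never appeared before `baseline_end`: a short list to read
    first, because a freshly installed implant has to resolve its controller."""
    return sorted(q for q, ts in first_seen(records).items() if ts >= baseline_end)


def beacon_candidates(records, min_queries=4, max_jitter=0.1):
    """(client, qname, interval_seconds) for lookups repeated by one client at a
    steady cadence, the usual shape of a periodic check-in."""
    times = defaultdict(list)
    for ts, client, qname in records:
        times[(client, qname)].append(ts)
    found = []
    for (client, qname), stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found.append((client, qname, int(round(mean))))
    return found


def triage(text, baseline_end_iso):
    """Run both checks over a log and return plain values for reporting."""
    records = parse_log(text)
    return {"new_domains": new_domains(records, datetime.fromisoformat(baseline_end_iso)),
            "beacons": beacon_candidates(records)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "2014-01-21T00:00:00"))
```

Both checks are deliberately cheap; the point of the column is that the logs exist and can be read in minutes, and this is roughly what "reading them" looks like before any deeper tooling is brought in. Legitimate software updaters also poll on a fixed schedule, so the beacon list is a queue to look at, not a verdict.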
How to Avoid 7 Common Compliance Traps

Regulations aimed at protecting the security and privacy of organizations and individuals are well-meaning. But sometimes these standards, or how they're interpreted, can be more than a nuisance; they can actually contribute to weaker security.

Here are a few examples, from security executives and analysts, of internal and external compliance standards that are potentially problematic, with tips on how they can be addressed so that they don't cause problems while they're trying to provide solutions.

Encryption and HIPAA

Many organizations and security executives are under the mistaken impression that compliance with HIPAA requires encryption, and this can actually lead to security problems, says Paul Proctor, an analyst at Gartner.

In fact, HIPAA requires the appropriate use of encryption, which is quite a different standard and can mean a difference of millions of dollars, Proctor says. Aside from causing organizations to spend too much time and energy on encryption, this misunderstanding can negatively affect certain business processes, hurt application performance and even cause users to bypass certain controls because they're annoyed at security, he says.

Decisions such as over-encrypting data "tend to have a ripple effect, of which lowering security is only one," Proctor says. "The answer is to develop a risk-management process that allows thoughtful consideration of what you should do" to be compliant with regulations.

"Organizations can make poor decisions if they don't have a formal risk management process, and most don't."

Password-Protected PDFs

Sometimes the regulatory environment has companies spending money on tools that aren't effective and make life more difficult for customers. When Tony Hildesheim, now senior vice president of IT at Redwood Credit Union, was working at another organization, internal regulations mandated that no account information be printed on any document.

"This also required that if you emailed a customer information, it had to be in a password-protected PDF," Hildesheim says.

This caused multiple problems. "Many financial institutions truncate the account number so that the whole number is not printed on any material," Hildesheim says. "Without an account number present on a piece of paper, it is hard to help the customer, many of whom no longer can tell you their account number."

The other issue was that the company's email scanning solution was having a difficult time scanning the password-protected PDFs. "Therefore, the security measure we put in place to ensure no data [such as credit card numbers] is emailed out of the company is rendered useless because the system cannot break into a PDF," Hildesheim says. "We had to change the procedure, train the staff and fight with the audit department."

Regulations "are often written in response to a very specific or perceived risk that may no longer exist, has other mitigations or whose likelihood is so remote that it is a non-threat," Hildesheim says.
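The email scanner in Hildesheim's story was "rendered useless" because it silently passed what it could not read. The gateway-side fix is to recognise an opaque attachment and fail closed on it. Below is an added example of that check, not code from Redwood Credit Union or the article: an encrypted PDF declares itself with an /Encrypt entry in its trailer (or in the cross-reference stream that newer files use instead), so a filter can detect encryption without opening the document. The two PDF byte strings are constructed minimal files, and the policy outcome names are assumptions.

```python
"""Fail closed on attachments a content filter cannot read.

Added example for the password-protected PDF story; not code from Redwood
Credit Union or the article. The PDF byte strings are constructed minimal
files and the decision names are assumptions."""


def pdf_encryption_status(data: bytes) -> str:
    """Return 'encrypted', 'cleartext' or 'not_pdf'.

    An encrypted PDF carries an /Encrypt key in its trailer dictionary, or in
    the cross-reference stream that replaces the trailer in newer files. Both
    sit at the end of the file, so only the tail is examined."""
    if not data.startswith(b"%PDF-"):
        return "not_pdf"
    tail = data[-65536:]
    idx = tail.rfind(b"trailer")
    region = tail[idx:] if idx != -1 else tail   # no 'trailer' keyword: xref stream
    return "encrypted" if b"/Encrypt" in region else "cleartext"


def outbound_attachment_decision(filename: str, data: bytes) -> str:
    """Policy for an outbound attachment (decision names are assumptions):
    'content_scan' for PDFs the filter can read, 'hold_for_review' for PDFs it
    cannot open, 'other_scanner' for anything that is not a PDF at all."""
    status = pdf_encryption_status(data)
    if status == "encrypted":
        return "hold_for_review"      # never pass what the scanner cannot see
    if status == "cleartext":
        return "content_scan"
    return "other_scanner"


# Constructed minimal PDFs: the same skeleton, one with an /Encrypt reference.
CLEARTEXT_PDF = (b"%PDF-1.4\n"
                 b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                 b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
ENCRYPTED_PDF = (b"%PDF-1.4\n"
                 b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                 b"2 0 obj\n<< /Filter /Standard /V 2 /R 3 >>\nendobj\n"
                 b"trailer\n<< /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n")


def demo():
    """Decisions for three constructed attachments, keyed by file name."""
    samples = [("statement.pdf", CLEARTEXT_PDF),
               ("statement-protected.pdf", ENCRYPTED_PDF),
               ("notes.txt", b"plain text, not a PDF")]
    return {name: outbound_attachment_decision(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Holding encrypted PDFs for review is exactly the friction Hildesheim describes having to fight the audit department over; the alternative, passing them unread, is the outcome the control was bought to prevent. The detection is by file extension-independent content, so renaming the attachment does not change the decision.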

Overzealous Virus Scanning

Several years ago, Proctor and other Gartner analysts were visiting a large credit union to discuss security strategy. The firm had just experienced a virus-based attack when a user connected an infected PC to the corporate network and inadvertently spread the virus.

"So they created a blunt rule that said every machine that comes into the organization from outside had to have a full virus scan," Proctor says. "This was done at the security desk, and it took two hours for each machine. When we showed up for our meeting, we couldn't get in" because of the delays. "The meeting was cancelled because of this silly decision. And who knows how many pieces of the business were impacted because of this rule."

It likely had a negative impact on the organization's security posture because it caused increased resentment toward security, Proctor says. The solution, again, is to carefully think through how compliance standards should be implemented and how they could affect all aspects of the business.

Vulnerability Scoring and PCI

The PCI standard requirement for a clean scan is a huge burden on businesses, says Adrian Sanabria, senior security analyst at 451 Research. "It steals focus away from more effective risk-reduction work and encourages a dangerously false sense of security," he says. Earlier versions of the PCI security standards "required businesses to show that all vulnerabilities rated a 'CVSS score of 4.0 or higher' be resolved," Sanabria says. "This is a hugely labor-intensive process that yields very little return on security."

The key issue here is the ineffective nature of vulnerability scoring, Sanabria says. "The automatic score given to a vulnerability (provided it isn't a false positive) is often highly inaccurate," he says. "It is simply a best guess, without some extra work to factor in each organization's unique context. The vast majority of effort often goes into fixing vulnerabilities that aren't a threat at all, and potentially ignoring ones that could be critical, but were scored under PCI's threshold."

Many times, larger organizations have a person entirely dedicated to coordinating tasks and obtaining clean scans, Sanabria says. "That's one person's time dedicated to a tiny fraction of PCI," he says. "Newer versions of PCI have tried to correct this issue by implementing a new requirement in which each organization applies custom rankings to each vulnerability that affects them. Now these organizations will have to dedicate a second person to the task of vulnerability management."
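Sanabria's point, that a raw CVSS threshold both over-prioritises and misses, is easiest to see side by side. The following is an added example, not code from 451 Research, the PCI council or the article: the same four scanner findings are listed once as the "everything at 4.0 or higher" work list and once ranked by the organisation's own context (exposure, card data, public exploit, compensating control). The findings, the CVE placeholders and the adjustment weights are constructed for illustration and are not any published scoring scheme.

```python
"""Raw-CVSS threshold list versus a context-ranked list for the same scan.

Added example, not code from 451 Research, the PCI council or the article.
Findings, CVE placeholders and weights are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                     # placeholder identifier, not a real CVE
    cvss: float                  # scanner-assigned base score
    internet_facing: bool
    cardholder_data: bool        # system stores or processes card data
    exploit_public: bool         # a working exploit is circulating
    compensating_control: bool   # e.g. service unreachable, WAF rule in place


PCI_THRESHOLD = 4.0   # the 'CVSS 4.0 or higher' cut-off the article describes


def pci_threshold_list(findings):
    """The 'fix everything at 4.0 or higher' work list, highest score first."""
    return sorted((f for f in findings if f.cvss >= PCI_THRESHOLD),
                  key=lambda f: -f.cvss)


def context_score(f):
    """Scale the base score by the organisation's own context. The weights are
    illustrative assumptions chosen only to show the direction of each factor."""
    score = f.cvss
    score *= 1.5 if f.internet_facing else 0.7
    score *= 1.4 if f.cardholder_data else 1.0
    score *= 1.3 if f.exploit_public else 0.9
    score *= 0.4 if f.compensating_control else 1.0
    return score


def context_ranked(findings, budget):
    """The `budget` findings a team should spend its time on first."""
    return sorted(findings, key=lambda f: -context_score(f))[:budget]


def missed_by_threshold(findings, budget):
    """Hosts in the context top-`budget` that the CVSS threshold would ignore."""
    return [f.host for f in context_ranked(findings, budget)
            if f.cvss < PCI_THRESHOLD]


# Constructed findings: a medium on the card-handling web tier with a public
# exploit, a critical on an isolated kiosk behind a compensating control, a
# sub-threshold finding on the payment gateway, and a medium on a printer.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-PLACEHOLDER-A", 5.0, True, True, True, False),
    Finding("kiosk-12", "CVE-PLACEHOLDER-B", 9.8, False, False, False, True),
    Finding("pos-gw", "CVE-PLACEHOLDER-C", 3.9, True, True, True, False),
    Finding("printer-03", "CVE-PLACEHOLDER-D", 6.5, False, False, False, False),
]


if __name__ == "__main__":
    print("PCI threshold list:", [f.host for f in pci_threshold_list(SAMPLE_FINDINGS)])
    print("Context top 2:     ", [f.host for f in context_ranked(SAMPLE_FINDINGS, 2)])
    print("Missed by threshold:", missed_by_threshold(SAMPLE_FINDINGS, 2))
```

With these inputs the threshold list leads with the isolated kiosk and never mentions the payment gateway, while the context ranking puts the card-handling web server and the gateway first. The weights are the part each organisation has to supply itself, which is the "second person" Sanabria expects the newer PCI requirement to cost.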

Encrypted Data Backups

One compliance effort that makes a difficult situation even tougher is the requirement for encrypted backups.

"This sounds like a reasonable precaution if you are storing your [backup] tapes in a public store," Hildesheim says. "But consider that management and likelihood that seven years from today the encryption is able to be decrypted. Never mind that the password or key would have to be stored somewhere securely and cataloged. The encryption algorithm or software would have to still be in a form that could decrypt the data."

This gets even more complicated when regulators require that backup media be encrypted, even if it is stored in a controlled storage vault to which only your company has access, Hildesheim says.

"One of the answers that many of the regulators are wanting to see in place is encrypted electronic backups," he says. "This again sounds good, until you realize that most have a local store and offsite store, which is in a shared environment, or cloud."

Multiple International Regulations

For companies that offer their services primarily through the cloud, like learning and talent management solutions provider Saba, the need to comply with a host of federal and industry regulations can create complexities that may hinder security.

Saba complies with standards such as ISO 27001, privacy requirements such as EU Directive 95/46/EC, Life Science Validation Environments, the Federal Information Security Management Act, and so on, says Randy Barr, CISO.

Some of these regulations are stricter than others and create challenges that are important to address to provide adequate security, Barr says.

For example, some require employees to work in the U.S., or have U.S. citizenship. "It's difficult to keep track of individuals who work abroad, and having to do so for some of the groups within our company can be challenging," Barr says. "If Saba wasn't prepared for such regulations, our ability to provide security across the board would be in jeopardy. It's important that all departments take the time to understand the security programs that we've communicated rather than just reviewing compliance requirements and saying it must be done."

Saba is able to meet all of its customers' security requirements, Barr says, but not without a huge amount of extra effort because of the complex compliance requirements. It's working with the Cloud Security Alliance to find more effective ways to comply with standards without draining resources. In addition, it has formed a security council to provide a consensus-based forum to support its overall security program.

"Discussions around meeting the requirements of [regulations] are discussed in these quarterly meetings," Barr says.

ISO Regulations and Roadblocks

The ISO/IEC 15408 regulations requiring Common Criteria testing can hinder security, says Robert Schadey, CISO and director of infrastructure services at 1901 Group, an IT services management provider.

"The Common Criteria guidelines and specifications developed for evaluating the security within a product ensure that security standards are agreed upon and [testing is] in place," Schadey says. For the most part, Common Criteria validates the claims of vendors' security features with an assessment of potential threats, he says.

"However, the overall length of time for testing and costs has caused a roadblock for most of the industry," Schadey says. "Our focus has shifted to providing a services-based approach for our federal customers. Services are delivered via dynamic hosting environments whereby the infrastructure layer may not be under a customer's control."

This can make it difficult to ensure that an organization is in compliance with the spirit of the Common Criteria security measures without analyzing each vendor's cloud implementation against security functional requirements and identifying the security gaps to determine if the cloud provider is acceptable, Schadey says.

"The loss of control at the infrastructure layer can cause security problems," he says. "The other issue that hinders security is the time frame it takes to test the products and have them available for selection off the Common Criteria Products List."

-Bob Violino
It’s Time to Use the Carrot to Build Awareness, Not the Stick

Instead of just forcing employees to attend training sessions, use gamification techniques to get them participating of their own accord. By Ira Winkler and Samantha Manke

One of the reasons many security awareness programs fail is that they rely on a “push” mentality, where they force employees to take awareness training and expect (or, more likely, hope) that employees will seek out additional training, because it is the right thing to do. While there are many successful programs that operate under this philosophy, they are still relatively rare.

Recently, we began experimenting with helping our clients implement gamification techniques, a strategy that switches the whole awareness paradigm. Instead of employees being forced to take training or risk potential punishment, they do the right thing on their own and seek out additional training, because they want to.

Too many people get confused when they hear the term “gamification” and think it means that you create a game to do awareness training, and there are many companies who are doing that. These games can be useful, but much like a poster, newsletter or phishing test, they are just a single component in what should be a well-rounded program.

Gamification is actually a scientific term that roughly means applying game principles to a non-game situation. These principles are, essentially: 1. establish goals, 2. set rules, 3. give feedback and 4. make participation voluntary. Every game has to incorporate those principles. The goal is what you want to happen when people participate in the game. Rules are actually limitations that people adhere to that make the game a challenge. Feedback means that participants are made aware of how they are doing compared to their goal. Voluntary participation means that nobody is forced to play the game.

Using golf as an example, which we will highlight is in no way a computer-based game, the goal is to go 18 holes with the fewest number of strokes. The rules provide limitations as to how the player can get the ball in the hole. After all, the easiest way to get the ball in the hole would be to carry it and place it there, but people want the challenge of accomplishing the goal through skill. The running tally of strokes is the feedback mechanism. And, short of peer or work pressure, almost everyone plays golf on a voluntary basis. All games generally exhibit the same principles. This includes all sports, card games, playground games, chess, checkers and so on. Games don’t necessarily involve computers.

As the term is confusing, we began to call our process “incentivized awareness programs.” That better represents what we are talking about, as a comprehensive awareness program does not limit itself to a single tool. With incentivized awareness, you create a reward structure that gives people incentive to perform the desired behaviors, which could include seeking out additional training. The incentives should make demonstrating or learning about awareness behaviors more fun.
Depending on the program and type of job, people earn points by finding bugs in software, taking a training course, reporting a phishing message, reading a security-related publication, stopping a tailgater attempting to enter the facilities, and so on. Different activities are assigned various point values, and participants accumulate points.

Collect enough points and you can cash them in for rewards. Some organizations recognize people with color-coded belts, like Six Sigma training does. Some organizations provide recognition and certificates. Others provide cash awards when certain point thresholds are met. Whatever the reward system is, it should be something that is appropriate to the organization’s culture. Depending on the size of the organization, you might want to have different reward structures for different subcultures. Roles, divisions or geography might define these subcultures. For example, Japanese workers tend to be much more impressed by being personally recognized by a senior manager, and the rewards should reflect this preference.

Clearly, some point totals would earn only the professional equivalent of the participation trophies that many children’s sports leagues now give out, which basically reward people for just showing up. There is actually nothing wrong with that. Security departments tend to get a bad reputation for punishing people for bad behavior. Rewarding people for doing the right thing gets them to be more security conscious while creating a better reputation for the security department as a whole.

There of course must be an appropriate balance between points awarded for meeting base expectations and points awarded for going beyond those limited expectations. Give a low-value reward for meeting base expectations. A second level should be created that is within reasonable reach for most employees by demonstrating some additional, relatively simple behaviors. Further levels and rewards should be increasingly difficult to achieve, but the rewards should be on par with the level of effort required.

Some people might say that many of their employees will not participate in this type of system, and that is reasonable. However, they might be surprised at the number of people who are interested in some type of reward system. Nevertheless, even if the program is not accepted by the entire employee base, the measure of success is not in participation, but in the metrics that matter to the organization. Fundamentally, any security system is measured in the amount of loss mitigated compared to the cost of implementing the program.

Creating an incentivized awareness program does take some effort, but the companies that have successfully implemented these programs are reaping the benefits by reducing losses and having a better relationship between the security team and the user base. Gamification has proven itself to be an effective measure to further a wide variety of business interests. It is time to start implementing it to further security awareness and educate your employees to the next level.

■ Ira Winkler and Samantha Manke can be contacted at www.securementem.com.
High Demand for CISOs Is Good News for Individual Careers, Bad News for the Industry

The good news for qualified information security professionals at the C-suite level is that it would be pretty tough to stay unemployed for very long.

Earlier this year, the Bureau of Labor Statistics (BLS) reported that unemployment among high-ranking security pros had “spiked” to 3 percent in the fourth quarter of 2012, although the rate for the entire year was all of 0.9 percent. In general, 4 percent is considered full employment.

While the BLS says those numbers aren’t entirely reliable, since the sample size is too small, they’re still dramatically lower than the national unemployment rate of 7.3 percent. Infosec management is a seller’s market.

What is good for the individual is not good for industry, however. It’s tough for enterprises to hire qualified IT security professionals right now. Stroz Friedberg, an intelligence and risk management consultancy, predicted recently that the supply of CISOs will not meet the demand in 2014.

Ed Stroz, cofounder and executive chairman of the firm, says that prediction doesn’t come from a statistical survey, but from 14 years of consulting for “a diverse set of clients. The need for a CISO is often on the agenda.”

The shortage extends below the C-suite as well. Marc Noble, director of government affairs for (ISC)2, chairman of the Cybersecurity Credentials Collaborative and former CISO at the Federal Communications Commission, told BankInfoSecurity earlier this year that in the past, his program had been hampered for almost a year, “due to the inability to find quality candidates to fill information security positions.”

Noble says he believes the shortage is due in part to rapid changes in the threat landscape. “It takes time to identify and understand new technologies, the vulnerabilities they present, and how best to adapt security controls to meet evolving threats. Implementing those controls adds an additional layer of complexity.”

To meet that demand, companies must find people who are “highly adaptable in learning and applying new skills, technologies and procedures in order to manage a dynamic range of risks. As it stands, IT organizations simply can’t keep up. The attackers are always 10 steps ahead of us,” Noble says.

Besides being able to handle that dynamic range of risk, Stroz says that good CISOs have to be much more than technicians. They need to be experts in the mission and operation of a business in general, including marketing, finance and the legal environment. Most organizations, he says, “want somebody who is effective in the role but also understands the company and industry. And often they come up with a description for a person that is very rare or doesn’t exist.”

That may be because, as David Shaw, CISO at Purdue University, says, “the CISO role is facing a bit of an identity crisis, with no clear definition for the role or where it should be placed in the organization. We constantly debate this in the field. Should it report to the CIO, the board, the CFO?

“We don’t really have a standard model out there for what it takes to get the CISO job, let alone be successful,” he says.

Even with all that complexity, given the demand, you’d think the shortage would resolve itself as people flock to the field. And that’s happening, to a certain extent, but it creates another problem: Some people are marketing themselves as qualified for the role without the requisite background.

Eugene Spafford, executive director of the Purdue Center for Education and Research in Information Assurance and Security, told BankInfoSecurity that high demand lets unqualified people pretend to be experts. “Without competition or comparison, some of them are undoubtedly being employed.”

But more often, qualified applicants can be put off by what Stroz said is a tendency at some organizations for the CISO role to be a “blame point rather than a value provider”: if sensitive data gets out, the CISO is blamed, even if the cause was an employee who “jumped the security wall” and left information in an insecure place.

And even though the supply is expanding, the demand is expanding faster. “The number of information security professionals is projected to continuously grow more than 11 percent annually over the next five years,” Noble says. “However, even with annual growth in the double digits, workforce shortages persist.”

What should be done to address that shortage? Mostly, security training must become more of a priority in mainstream education. “Information security is considered one of the fastest-growing career fields,” Noble says, “yet we are not keeping up with the necessary training.” -Taylor Armerding


Senior Managers Cause Far More Security Headaches Than the Workers They Outrank

Senior managers are the worst offenders when it comes to information security breaches, because of a combination of job pressures, busy schedules and an attitude that they are above the rules, an expert says.

A recent study by Stroz Friedberg, which specializes in digital forensics and risk management, found that almost nine in 10 senior managers regularly uploaded work files to a personal email or cloud account.

In addition, more than half had accidentally sent the wrong person sensitive information and had taken files with them after leaving a job. Those percentages (58 percent and 51 percent, respectively) were much higher than the ones for general office workers.

There are two reasons that senior management skirts the rules, says Eric Friedberg, co-founder and executive chairman of Stroz Friedberg. First, they tend to be under a lot of pressure due to their busy schedules, so they often have no patience for security measures that add time. Second, many managers, particularly in large organizations, travel a lot and often find themselves in countries or hotels where Internet access is subpar.

“They often can’t deal with the complexity and inconvenience of connecting to the corporate network through a secure channel (such as a virtual private network),” Friedberg says.

There are also some senior managers who feel they are above the rules. The chairman of a public company Stroz Friedberg worked with had his email tapped for six months because he never changed his password.

“He just said, ‘I’m above it. Changing passwords is not for me,’” Friedberg says.

It’s more common to find inflated egos who disregard security rules at companies where security is not practiced and emphasized at the C-level.

“In a company where there’s not a pervasive culture of security emanating from the top of the organization, the top people believe that somehow their status exempts them from corporate policies,” Friedberg says.

Fact is, for a company to make good security practices a normal part of doing business, senior management has to abide by the same rules as everyone else.

“That culture of security comes from the top of the organization,” Friedberg says. “Managers and senior executives have to be active proponents and evangelical about security as part of the corporate culture.”

As for the high percentage of executives who use personal email to upload work files, Friedberg believes many do not understand the potential consequences: If a legal problem arose, the content of those personal accounts could be subpoenaed, along with any corporate email.

“They probably don’t realize that although they’re transferring things to their personal account for convenience, they’re really setting the groundwork for a litigation adversary or regulatory adversary to rummage through their personal email accounts looking for relevant corporate information,” Friedberg says.

The Stroz Friedberg results are based on an online survey of 764 U.S. information workers conducted by KRC Research. The proportions of small, medium and large businesses in the sample surveyed matched what the Census Bureau reports is the distribution of business sizes in the U.S. at large.

-Antone Gonsalves
Does Your Title Match Your Authority?

Security may be getting more respect at the executive table, but how much does a C-level security title really mean when it comes to having the power to secure an organization?

Security executives have taken on much more responsibility and visibility in recent years as threats to corporate information assets and physical resources have increased.

But do their titles, whether it’s CSO, CISO, vice president of security or another C-level position, always come with the authority needed to achieve everything they are responsible for? If not, how much of a gap is there between these executives’ responsibilities and their authority?

The short answer is, it depends on the organization and how it perceives the security function. The level of authority and influence that information security executives wield varies widely from organization to organization, says Steve Durbin, global vice president of the Information Security Forum, a nonprofit that provides guidance and best practices for all areas of information security and risk management. And at a great many enterprises, Durbin says, that authority and influence is not sufficient.

“If you look at some of the power players, the guys running security at the largest organizations, they say they do have the authority to at least accomplish what they are tasked with,” Durbin says. “But a lot of organizations still don’t get the importance of security,” and that’s reflected in how CISOs and other cybersecurity executives are treated when it comes to authority, budget control and other areas of management.

Recent research confirms that many organizations undervalue information security, Durbin says. For example, according to Ernst and Young’s 2012 Global Information Security Survey, only about one quarter of the companies surveyed have given responsibility for information security to the CEO, CFO or COO, elevating it to a C-suite concern. And only 5 percent have information security reporting to the chief risk officer, the person most responsible for managing the organization’s risk profile.

“Clearly there is a mismatch or a lack of understanding at the senior level of how important security is and the level of [authority] it needs to have within the organization,” Durbin says. Information security executives might be partly to blame for this, he adds.

“In my experience, generally speaking, many security executives still find it difficult to effectively transmit their message to C-level decision makers,” Durbin says. “They have not been able to align information security with business goals. The industry in general has tended to overuse the fear, uncertainty and doubt methodology to get budget, and to some extent that has damaged the role [of CISOs].”

At many organizations outside the Fortune 500, the CISO role today “lacks the prestige to accomplish the information security goals the business requires,” Durbin says.

“CISOs have got a difficult task on their hands; very many of them have come from technical backgrounds and up until recently have not been required to work as closely with the business or to communicate security issues in a language that the business easily understands,” he says.

As a result, they continue to struggle for the budget and authority they need. “Many are suffering from lack of authority at a time when security has never been more important,” Durbin says.

The implications of this are significant: organizations might not be adequately equipped to secure themselves against cybercrime, which continues to increase in sophistication and scope. At those organizations that lack a strong security authority, senior business leaders could end up making decisions without having sufficient information about threats and solutions.


Lacking Authority

One security executive, who did not want his name or organization identified, says he does not have the full authority to achieve all his goals directly, and thinks this is true of many of his peers in other industries. He says, “This is probably as it should be, since security is always the junior partner in any business enterprise.”

The executive points out that organizational structures “differ everywhere, with the senior security official reporting to a variety of senior executives, from [human resources] to legal to operations. There is no standard solution for this and corporate culture will dictate how this is done.”

One issue that the anonymous security executive has to deal with is the fact that there is no central security budget at his organization. Security is diffused throughout the organization, and so is the budget, he says. Since security is seen essentially as a service at every level in the organization, various elements of it are paid for through the budgets of a number of other departments.

The bottom line is that “enterprise security is an expense and does not generate revenue, so it can be an uphill battle to add things like extra staffing with all the loaded costs,” the executive says.

Another challenge he faces is that the security function rarely encompasses both physical security and cybersecurity, “so these two essential security functions often do not coordinate all that well or receive the same attention from business leaders,” he says.

Leaders are generally more comfortable with the more traditional field of physical security and feel much less at ease on the cyber side, the executive says.

“This means the IT staff becomes the de facto security chief for cyber, which is a little like the fox looking after the henhouse,” he says.

“There ought to be a single executive in every organization who the boss can go to for all security solutions.”

At some companies, particularly subsidiaries of large, global enterprises, the organizational structure of the business can limit the authority of security executives.

As CISO and IT risk leader at commercial finance provider GE Capital Americas, James Beeson has authority over decisions such as updating security software releases and tweaking security policies to make them stronger. But making larger-scale decisions on security strategy for the company is a more complex proposition.

“Within our business unit, I have the full support of senior leadership and the CIO to go get done what I have to get done in order to get us compliant” with parent company GE’s security requirements, Beeson says. “What I don’t have the authority to do is make [broad] policy decisions” that go beyond the confines of GE’s overall security strategy.

The way GE is organized, the parent company has its own security department and leadership, as does its GE Capital unit and GE Capital Americas. The parent company and GE Capital each have CISO councils, of which Beeson is a member.

As a member, Beeson can suggest new technologies for the councils to consider and can recommend ways to strengthen security postures at the companies.

“I can influence those [councils], but not in terms of decision making and the authority to actually move things forward,” Beeson says. He frequently has to go through the councils for approvals on key security technologies or major changes in security policy or procedures.

“My boss looks to me to oversee [security] for the GE Capital Americas business,” Beeson says. “But I might not be able to pick a tool or technology or revise a policy. That’s not so simple.”

The Value of Security

Some executives are comfortable with the level of authority security chiefs have. “I believe that most companies do give their [CISOs and CSOs] the authority to achieve success,” says Roland Cloutier, CSO at Automatic Data Processing (ADP), a provider of human resources, payroll, tax and benefits administration services.

“Authority does not mean unlimited resources or a ‘yes’ to every security, risk or privacy program they want to implement,” Cloutier says. Rather, it’s a workspace that understands the need for an executive security leader, provides mechanisms for professional input and collaboration, and promotes the opportunity for careful consideration of business-impacting issues, he says.

“Typically, if a company has made the commitment to staff a CISO/CSO-like position, [it has] taken a very important first step,” Cloutier says. “Often it is the responsibility of that security executive to define success for their organization and develop and deliver the business impact efforts necessary to drive the results.”

In Cloutier’s experience, businesses that have difficulty taking a balanced approach to effective security typically have issues in either governance and oversight or segregation of duties.

“First, without an established authoritative executive oversight group that provides guidance to a security program, [then] prioritization, business alignment and cross-business visibility is very difficult to achieve,” Cloutier says. “Those basic concepts are fundamental to the success of any given program, not just security.”

Regarding segregation of duties, those security organizations that are operationally managed by a group that has contrasting ideas about security, risk or privacy functions often find themselves incapable of solving problems, thanks to management, financial or organizational issues.

“Here at ADP, we have taken great lengths [to implement] cross-divisional and corporate oversight alignment through an executive security council, and treat our security and privacy program like other risk organizations, as components of the office of the CFO,” Cloutier says.

The company views its security, operational risk and privacy programs as elements of its overall risk position, Cloutier says. “In our governance, it is the office of the CFO that is responsible for maintaining ADP’s overall enterprise risk posture, and so that is where the CSO position reports to,” he says.

At companies where security is the main focus of the business, the security executive role takes on a huge importance. For example, at Websense, a provider of Web, email and mobile security technology, Chief Security and Strategy Officer Jason Clark not only oversees IT strategy and reviews all IT projects, but also is deeply involved in business decisions, including investments, market strategy and partnerships.

“My leadership extends across four individual areas, and requires buy-in from the executive suite, IT, engineering, marketing and sales,” Clark says. “I act as a voice of our customers during product development to provide a real-world perspective.”

The security budget Clark controls is distributed between IT and marketing. “This process encourages internal collaboration across departments and frees me from administrative issues,” he says. “This has also allowed me to build a unique team in the office of the CSO, which helps to further evangelize our processes. We are free to actually implement the many internal and external security ideas that we create, and more efficiently prioritize these with other organizational demands.”

Websense’s CIO handles the operational side of its IT security while Clark oversees the strategy and projects.

“It’s a strong relationship that allows me to use my business and security expertise to advise executives on successful strategies to improve their IT infrastructure and more effectively secure our organization.”

A New Look

In the coming months, many organizations will change the way they look at security and how it is managed within the enterprise, and the CISO role will evolve, Durbin says. CISOs must refocus security to take their organizations from crisis response and compliance mode to proactive risk management, he says.

This is already happening at some businesses. Durbin cites a bank that is splitting up the CISO role among multiple individuals, each responsible for different segments of the company. They work as a team that reports to the COO, ensuring C-level support.

“There’s another organization I know of where security now reports through to the chief strategy officer,” Durbin says. “I like that because security then has alignment with strategy.” At a third company, in the media industry, the CISO works on a consultative basis with the business, taking on security projects as needed. This enables the CISO to showcase his expertise in security in addition to helping the company meet its business goals, he says.

In fact, the role of CISO is likely to morph into more of a consultative function, Durbin says. “CISOs will need to be consultants and salesmen,” he says. “They need to be able to look into the business strategy and then sell the appropriate concepts of how to manage information security risk in a consultative fashion.”

In time, “we may see the arrival of a new [position] at the board level, like chief digital officer, someone responsible for managing the organization’s role in cyberspace and who naturally oversees all cybersecurity matters,” Durbin says.

Regardless of how things pan out for security executives, organizations need to take steps to strengthen the security function.

“There is clearly a gap; the question is, how do we bridge it?” Durbin says. “As we move more into the cloud, mobile technology and social media, it’s especially incumbent on businesses to understand the risk.”

■ Bob Violino is a freelance writer and editor. He can be reached at bviolino@optonline.net.
Ten Tweets: Trey Ford

@treyford

Trey Ford, general manager of Black Hat, tells us how the organization is evolving and how the NSA revelations have actually helped infosec, all in 140 characters or less.

CSO: You recently wrapped another Black Hat. How do you think this year’s event went?

Trey Ford: Black Hat had a solid year. Surveillance revelations challenged our community, raising infosec into the spotlight.

Do you think surveillance and the NSA controversy will be a continued focus of planning and discussion for Black Hat in 2014?

I am confident people are always thinking about privacy. Encryption, operational security and related topics will be on the rise.

So would you say the NSA revelations have been a good thing for infosec, in terms of exposure and attention?

In terms of exposure and attention—absolutely. The NSA revelations brought infosec discussions to dinner tables around the world. It’s kind of a shame that it takes negative events to garner that level of attention.

Back to Black Hat: How do you think the event itself has evolved in the past several years? Have you observed any major changes?

Black Hat evolves with the community, listens aggressively, invests internationally and is increasing transparency with our review board.

Anything new or different in the early works for next summer’s Black Hat?

Excited about moving to Mandalay Bay in 2014—I can’t share much.... Training is growing: watch for more hands-on workshops!

Understood. Tell us about yourself. How did you get into infosec?

Infosec has no shortage of change or challenge. Like most, I fell into and in love with it. It is kind of a calling.

Now that you’ve been in the field for a while, what do you like best about your job? Or about the infosec industry?

The diversity of people, perspectives and challenges we face. Effective collaboration fuels me.

What about when you’re not working in infosec? What do you like to do outside of your work with Black Hat?

Outside work, you can probably find me cooking with my wife, riding a motorcycle, flying a plane...dreaming of and seeking adventure.

Complete this sentence: If I weren’t working in security, I would be _____.

I’d be trying to find a way to pay the bills flying aircraft. Preferably at air shows. Yeah...definitely flying in air shows.

Always good to set your sights high (bad pun intended). Our 10 tweets are up. Pass the buck: Who should @csoonline tweet with next?

You should chat with one of the Black Hat Review Board. I’m sure @RSnake or @WeldPond would be up for the challenge.

As of press time, Trey Ford is no longer working for Black Hat and is now an independent security research advocate.
ADVERTORIAL

The Gap Between Reality and Potential

Many organizations face significant governance, risk, and compliance (GRC) challenges, spanning not only multiple internal departments, but multiple external entities as well. The number of regulations and compliance issues is growing, but the resources with which to manage them are not.

Lack of ownership and the absence of a common definition of GRC programs and objectives across the enterprise are significant hurdles for many organizations. Oftentimes, GRC processes are siloed, making it difficult to coordinate and align the requisite processes and identify opportunities for greater efficiency.

Siloed GRC processes are not the only issue. Manual processes are time consuming and inefficient, while the use of point technology solutions that don't share data limits the value of their insight.

The Current GRC Landscape: Fragmented and Frustrating

The results of a new IDG Research survey of information technology leaders, "CSO Market Pulse: Governance, Risk and Compliance (GRC)," confirm the existence of this fragmented and frustrating GRC landscape. The survey reveals a gap between GRC reality and GRC potential. Organizations have invested significant resources in discrete solutions to help ensure compliance, but this approach has led to applications that don't share data. In addition, organizations' approaches and methodologies for identifying and managing risk are highly varied across the enterprise, and many of these processes are ad hoc and not highly automated.

The problem will likely only worsen because, as the regulatory landscape continues to evolve, siloed applications don't provide a consistent way to share information. As a result, many organizations cannot take advantage of integrated capabilities provided by a consolidated GRC technology platform.
Enterprises need to look across their organizations and identify the functions that are critical to helping manage risk and compliance. They should consider simplifying how these functions interoperate and, if necessary, change the structures that currently govern data. That potentially means integrating many of the independent processes they've developed over the years into coordinated activities that can more easily share data.

The Payoff of an Integrated Set of GRC Capabilities

GRC enables this integration because it's an enterprise approach to tying together business functions—IT, operations, finance, legal—with business processes supporting risk or compliance functions. Initially, organizations can reduce duplicate and inconsistent efforts. Done well, GRC can also help improve reporting, providing the underlying foundation for improved analytics, and the ability to disseminate those analytics with consistent data to a variety of dashboards. Doing so reduces the time it takes to gain insight, which gives organizations the ability to analyze risk and compliance from a more proactive standpoint.

When organizations create an infrastructure for enterprise-wide improvement—one that accommodates the common GRC processes in different departments and allows them to be integrated into a single view—GRC becomes the foundation for better operations, analytics, and security.

By replacing manual processes with automated ones, and by replacing siloed insight with an enterprise-wide perspective, organizations can close the gap between their GRC potential and their GRC reality.

For more insights and features on security from RSA, visit http://www.emc.com/emc-plus/rsa-thought-leadership/index.htm

For more on how Deloitte helps organizations address risk, visit www.deloitte.com/us/securityandprivacysolutions